Managed SOC in Mumbai · 24×7 BFSI
24x7 co-managed SOC for Mumbai banks, NBFCs, brokers, AMCs and insurers in BKC, Lower Parel, Andheri MIDC and Belapur — Splunk / Sentinel / Chronicle, BFSI-tuned detection, integrated IR.
How a Macksofy SOC + SIEM engagement runs in Mumbai.
A Mumbai BFSI managed SOC has to do three demanding things at once: meet the operational requirements of RBI's April 2024 Cyber Resilience and Master Direction on IT Governance; produce SEBI CSCRF and IRDAI Information & Cyber Security reporting from the same evidence base; and detect the specific attack patterns that hit Indian banks at the scale of SBI / HDFC / ICICI / Kotak / Axis — UPI mule-account mapping, treasury-workstation anomalies, broker-desk credential abuse, ATM-switch and card-personalisation vendor activity, contact-centre bulk-customer-data access, and SWIFT BIC-level transaction monitoring for the small subset of clients that operate cross-border. A SOC built for a generic enterprise customer cannot do this. The detection content has to be Indian-BFSI-native.
Our Mumbai SOC operates as a co-managed extension to the client's SIEM — Splunk Enterprise / Cloud, Microsoft Sentinel, Google Chronicle / SecOps or IBM QRadar — with shared detection-engineering ownership. The bank's CISO retains control of every rule, every parser, every dashboard. We provide the 24x7 L1 / L2 analyst coverage, the threat-hunting cadence, and an integrated incident-response retainer staffed by the same engineers. The Macksofy analyst bench is split across Mumbai BKC (the primary location and the same building as our HQ) and a secondary site so single-point-of-failure questions during the procurement walk-through have a real answer. Onsite analyst hours at the client's BKC / Lower Parel / Andheri MIDC / Powai / Belapur SOC are part of the engagement, not extra.
Detection content is explicitly BFSI-tuned and grounded in the actual fraud and intrusion patterns we have seen on Indian-bank estates between 2023 and 2026. The UPI layer: mule-account graph detection (multi-VPA fan-out, account-aggregator velocity, beneficiary-cluster anomalies), transaction-velocity outliers per payee and per payer, mandate-creation abuse on the AutoPay rail, and the patterns specific to UPI Lite and RuPay credit-on-UPI that arrived with the 2024-25 NPCI guideline updates. The net-banking layer: transaction-flow tampering, OTP / 2FA bypass attempts, beneficiary-addition velocity, reconciliation-layer anomalies and the long tail of mobile-banking app re-packaging attacks. The treasury / SWIFT layer: anomalous workstation behaviour on the SWIFT-attached endpoints, MT103 / MT202 message-volume outliers, BIC-pair velocity anomalies, and the APT38-style banking-malware indicators that have hit south-Asian banks in the 2023-25 cycle. The broker / AMC layer: broker-terminal logon anomalies, OMS / RMS order-pattern oddities, algo-API authorisation-flow misuse, and the market-data-feed tampering paths SEBI CSCRF expects to see detected. The card layer: ATM-switch vendor activity anomalies, card-personalisation vendor command-and-control, and the FASTCash-variant detection that south-Asian banks need post-2024.
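Two of the mule-graph rules named above (payer fan-out for dispersal and beneficiary fan-in for collection, both inside a sliding time window), written here as an added example rather than Macksofy's own detection content; the record format, the VPAs and the thresholds are constructed for illustration and real switch logs will differ.

```python
"""Toy UPI mule-pattern detector (added example, not Macksofy content).
Record format (payer VPA, payee VPA, amount, epoch secs) is constructed;
real switch logs differ. Two of the graph rules named above: payer fan-out
(dispersal) and beneficiary fan-in (collection) within a sliding window."""
from collections import defaultdict, namedtuple

WINDOW = 600    # 10-minute sliding window, in seconds
FAN_MIN = 5     # distinct counterparties in one window that trigger an alert
Txn = namedtuple("Txn", "payer payee amount ts")  # constructed record shape

def _max_distinct_in_window(txns, key, other):
    """Per account (field `key`), the largest number of distinct counterparties
    (field `other`) seen inside any WINDOW-second span of its transactions."""
    by_acct = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_acct[getattr(t, key)].append(t)
    result = {}
    for acct, seq in by_acct.items():
        best, left = 0, 0
        for right in range(len(seq)):
            while seq[right].ts - seq[left].ts > WINDOW:   # slide window start
                left += 1
            best = max(best, len({getattr(t, other) for t in seq[left:right + 1]}))
        result[acct] = best
    return result

def detect_fan_out(txns, threshold=FAN_MIN):
    """Payers spraying funds to many distinct VPAs in one window (mule dispersal)."""
    scores = _max_distinct_in_window(txns, "payer", "payee")
    return sorted(a for a, n in scores.items() if n >= threshold)

def detect_fan_in(txns, threshold=FAN_MIN):
    """Payees collecting from many distinct payers in one window (mule collection)."""
    scores = _max_distinct_in_window(txns, "payee", "payer")
    return sorted(a for a, n in scores.items() if n >= threshold)

# Constructed sample: a legitimate user paying six merchants over a day (never six
# inside one window), a disperser hitting six VPAs in five minutes, and a
# collector receiving from six unrelated payers in five minutes.
T0 = 1_700_000_000
SAMPLE = (
    [Txn("ravi@okbank", f"shop{i}@paytm", 250.0, T0 + i * 3600) for i in range(6)]
    + [Txn("mule1@okbank", f"vpa{i}@ybl", 9_900.0, T0 + i * 50) for i in range(6)]
    + [Txn(f"victim{i}@okaxis", "collect@ibl", 49_000.0, T0 + i * 45) for i in range(6)]
)

if __name__ == "__main__":
    print("fan-out:", detect_fan_out(SAMPLE))  # ['mule1@okbank']
    print("fan-in: ", detect_fan_in(SAMPLE))   # ['collect@ibl']
```

The window is what separates the legitimate shopper from the disperser: both reach six distinct payees, but only the mule does so inside ten minutes.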
We layer this Indian-BFSI-native content on top of the CrowdStrike Falcon / Splunk SES / Microsoft Sentinel content-pack baseline and the MITRE ATT&CK enterprise + cloud + ICS matrix coverage. Every detection is mapped to a MITRE technique and sub-technique, the specific RBI Cyber Resilience clause it supports, and the SEBI CSCRF / IRDAI clause where applicable — so the monthly board-grade pack writes itself from the alert ledger. The threat-hunt cadence runs weekly against the bank's data and the named-threat advisories the bank's CISO subscribes to (Mandiant, Recorded Future, Group-IB, FS-ISAC / Indian-BFSI-ISAC equivalent, the OEM-provided feeds).
Monthly reporting is in the format RBI / SEBI / IRDAI inspectors expect to read during the next supervisory visit — incident counts by severity, mean-time-to-detect (MTTD), mean-time-to-respond (MTTR), detection-engineering backlog status, named-threat coverage, top suppressed-alert classes with rationale, and the regulator-style SOC composition disclosure (analyst-bench size, shift redundancy, escalation chain). The CSITE Cell follow-up examination of a Mumbai bank typically reads exactly this format, and we ship that way deliberately. Annual third-party VAPT of the SOC itself, the SIEM and the EDR estate is included in the multi-year retainer.
Integrated incident response is built in — the same engineers running L2 / L3 detection lead containment if an alert escalates to an incident. No warm handover, no separate IR practice with a separate retainer. The IR runbook is jointly maintained with the bank's IT-security team. Quarterly tabletop exercises against Mumbai BFSI scenarios — UPI mule wave, treasury-workstation compromise, broker-terminal credential theft, ATM-switch vendor compromise, contact-centre bulk-exfiltration, partner-fintech API abuse surge — are run for the bank's executive and operations teams. The annual red-vs-blue exercise pits our SOC analysts against Macksofy's red-team practice (run as a separate-team Chinese-wall engagement under purple-team rules), and the joint after-action review feeds the next year's detection-engineering backlog.
Onsite analyst hours at the bank's BKC, Lower Parel, Andheri MIDC, Powai or Belapur SOC are part of the engagement footprint, not a separate line item. Most clients use them for handover during the in-house team's leave windows, for the sensitive-incident-handling that has to be physically inside the bank's SOC (typically when DFIR-grade evidence preservation is needed and the data cannot leave the bank's network), and for the quarterly RBI Cyber Resilience supervisory visits where the regulator's inspection team wants the SOC analyst present and reachable. The BKC-anchored bench means the onsite presence is hours, not days, to mobilise.
Commercial terms align with the Mumbai BFSI procurement norm. Multi-year retainer, banded SIEM-ingestion footprint, transparent named-resource pricing for the analyst bench, the standard breach-notification clauses RBI / SEBI / IRDAI mandate, and the explicit detection-engineering IP-transfer clause so every rule, parser and playbook stays in the bank's tenant at the end of the engagement. No vendor-proprietary content-pack lock-in, no exit cost. The bank's CISO can lift-and-shift the SOC content into a different MSSP at any renewal — we design the engagement to be portable on purpose, and that is what keeps the retainer honest.
Five phases. Mumbai timeline.
Every Macksofy SOC + SIEM engagement in Mumbai runs through the same phased protocol — adapted to Mumbai-specific procurement, regulator and delivery realities.
- SIEM (Splunk / Sentinel / Chronicle / QRadar) ingestion + parser baseline
- EDR (CrowdStrike / SentinelOne / Defender) integration as-is
- Indian-BFSI use-case inventory — UPI, treasury, broker, card, BPO, partner-fintech
- L1 / L2 / L3 handoff runbook + RBI-style SOC composition disclosure draft
- UPI mule-graph + AutoPay mandate-abuse + transaction-velocity rules
- SWIFT MT103 / MT202 + BIC-pair anomaly rules for treasury-attached endpoints
- Broker-terminal logon + OMS / RMS order-pattern + algo-API authz rules
- ATM-switch / card-personalisation vendor + FASTCash-variant detection
- BKC-anchored bench with secondary-site redundancy + onsite analyst hours included
- L1 / L2 triage on client's SIEM tenant — rules and parsers owned by the bank
- Weekly threat-hunt against bank's data + Mandiant / Recorded Future / FS-ISAC feeds
- Daily detection-engineering backlog stand-up with bank's AppSec / IT-Sec lead
- Same engineers escalate L3 → incident containment with DFIR-grade evidence preservation
- Quarterly Mumbai BFSI tabletop scenarios (UPI mule wave, treasury, broker, ATM, BPO)
- Annual red-vs-blue with Macksofy red-team under Chinese-wall purple-team rules
- Regulator-reportable incident handling with CERT-In 6-hour SLA pre-defined
- Monthly RBI Cyber Resilience + SEBI CSCRF + IRDAI board-grade pack
- Quarterly CISO + audit-committee review pack with named-threat coverage
- Annual third-party VAPT of the SOC + SIEM + EDR included in retainer
- RBI CSITE Cell supervisory-visit support — analyst present onsite during inspection
Which Mumbai verticals we deliver SOC + SIEM for.
Private + PSU banks
BKC / Worli / Belapur HQ banks — UPI, net-banking, treasury and SWIFT-attached endpoint monitoring focus.
NBFCs + Housing Finance
Multi-tenant SaaS-style lending platforms + branch-tablet auth + NPCI sub-member sponsorship paths.
Stock brokers + DPs
BSE / NSE / NSDL / CDSL connected broker terminals — OMS / RMS / algo-API anomaly detection under CSCRF.
Asset Management Companies
BKC + Worli AMCs — SEBI CSCRF reporting + investor-portal abuse + partner-distributor API monitoring.
Insurers (life, general, health)
Powai + Andheri MIDC insurer HQs — IRDAI Information & Cyber Security cadence + claims / TPA fraud detection.
Listed fintechs + payment aggregators
Lower Parel + BKC fintech HQs — RBI PA-PG guidelines + PCI-DSS overlay + partner-fintech API abuse focus.
The Mumbai deliverable pack.
Every Mumbai SOC + SIEM engagement closes with the pack below — regulator-ready evidence, technical detail and board-readable summaries.
- 24x7x365 BKC-anchored SOC operations on client's own SIEM stack
- Indian-BFSI-native detection content pack deployed to client tenant (transferred IP)
- Monthly RBI Cyber Resilience + SEBI CSCRF + IRDAI board-grade reporting pack
- Integrated IR retainer with DFIR-grade evidence preservation
- Quarterly Mumbai BFSI tabletop exercises + annual red-vs-blue with Macksofy red team
- Annual third-party VAPT of the SOC, SIEM and EDR estate (included)
- Onsite analyst hours at BKC / Lower Parel / Andheri MIDC / Powai / Belapur SOC
- RBI CSITE Cell supervisory-visit support with analyst present onsite during inspection
A Mumbai SOC + SIEM case study.
24x7 co-managed SOC on existing Splunk Enterprise + CrowdStrike Falcon, BFSI detection content deployment, integrated IR retainer + quarterly RBI Cyber Resilience reporting cycle
MTTD reduced from 102 min to 11 min over 9 months · UPI mule-graph detection identified INR 4.7 Cr of attempted fraud in Q4 · MT103 outlier detection caught APT38-style probe on treasury-attached endpoint inside 22 minutes · RBI CSITE Cell follow-up cleared SOC-side evidence with zero observations · annual SOC + SIEM VAPT closed with one medium-severity finding.
Rated 4.9 ★ from 612 client reviews.
“We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.”
“The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.”
“Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.”
Get a fixed-price proposal in 48 hours.
Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.
- CERT-In Empanelled
- EC-Council ATC · CompTIA Authorized
- 20,000+ professionals trained
- India + UAE engagements
